Efficient Alert Management Lacking in Many Organizations: Report

Security alerts can be highly useful in protecting an organization against a data breach, but inefficient alert management can have serious consequences, a new report shows.

The study, conducted by IDC on behalf of FireEye, has revealed that roughly 15% of global organizations face more than 50,000 security alerts each month. In the United States, 37% of organizations receive over 50,000 alerts, while nearly one third of them have to deal with between 10,000 and 49,999 alerts.

According to the report, 35% of the 500 surveyed enterprises spend as many as 500 hours per month dealing with security alerts, which means at least three full time positions are needed just for alert management.

The problem is that more than half of the alerts are false positives, and roughly one third of them are redundant across multiple threat detection platforms. However, only 42% of the respondents say they have automated systems in place for ignoring duplicate alerts, while the rest review them manually.

When it comes to addressing alerts, 75% of those surveyed said it takes them less than 5 hours to respond to critical alerts. On the other hand, 60% of respondents said moderate alert responses take between 6 and 12 hours, while 30% indicated that it takes more than one day to handle low priority alerts. This gives potential attackers enough time to cause damage.

Another issue highlighted in the report is that the volume of alerts might be masking quality problems. Almost half of respondents review the configuration of their security product every month in an effort to reduce alerts, but close to 80% of those who took part in the survey believe the quality of their alerts is either excellent or almost excellent. According to FireEye, this indicates a gap in how alert quality is perceived.

Roughly half of most companies’ IT security budget goes to alert monitoring. However, 75% of organizations don’t have dedicated staff for monitoring alerts, and only 35% of organizations outsource, the report shows.

According to a study published last week by the Ponemon Institute and Damballa, organizations in the United States spend 21,000 hours per year on false positives, which translates into nearly $1.3 million wasted each year because of inaccurate intelligence.

“In resource-limited environments, every alert counts. Since most of us work in such environments, we need to ensure that we populate the work queue with only reliable, high fidelity, actionable alerts,” Joshua Goldfarb, Chief Security Strategist of FireEye’s Enterprise Forensics Group, said in a recent SecurityWeek column. “Fans of the conventional approach may say, ‘If I reduce from 100,000 alerts a day to 100 alerts a day, I may miss something.’ To those people, I would ask the following question: If you never look at 99% of your alerts, or you quickly dismiss them as false positives, what is the point of firing those alerts and what value do they add to security operations? Further, are you certain that you would not miss important alerts because their signal would be lost in the noise?”

“Before purchasing any technology intended to produce alerts destined for the work queue, we should ensure that it allows us to hone in on the activity we want to identify (the true positives/the signal), while minimizing the activity we do not want to identify (the false positives/the noise). As always, these technologies are tools that need to be properly leveraged as part of the larger people, process, and technology picture,” Goldfarb explained.

Eduard Kovacs is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.